Fractional Security & AI-Governance Lead
Most companies do not fail their frameworks because they lack a standard. They drift because nobody owns the operating discipline between audits - the risk register goes stale, reviews slip, and the real position surfaces only when a customer or regulator asks.
Kellwick runs that engine for you. A fractional lead keeps the frameworks you actually answer for operating month to month - ISO 27001 upkeep, DORA and NIS2 obligations where they apply, privacy and AI governance - so your business stays ready without a full-time hire.
Who owns these between audits?
The engine, not a standard
ISO 27001, DORA, NIS2, privacy and ISO 42001 each define what your business has to prove. A fractional lead is the delivery model that keeps all of them operating - the risk register current, the reviews on cadence, incident reporting ready and the board informed. It fits a company with real obligations but no in-house GRC owner.
Why the gap becomes expensive
Between audits, the operating discipline is what slips first. By the time a surveillance visit, a supervisor or an enterprise buyer looks, the drift is already visible.
A standard tells you what to prove. It does not keep your risk register current, run your access reviews, assess your suppliers or report the real position to your board. That work is a job - and when it is nobody's job, it stops happening.
If no one owns the operating rhythm, the frameworks are already drifting.
The questions behind every framework
Quick self-check
Prefer to start small? Look at ongoing support options - a lighter first step before a full retainer.
The operating rhythm
This is the discipline that keeps frameworks alive between audits - a defined cadence with owners and dates, not a scramble the quarter before a visit.
| Cadence | Activity | What it means |
|---|---|---|
| Monthly | Operating cadence | Risk register updates, control-owner check-ins, open-action tracking and a written status the leadership team can read. |
| Quarterly | Access & supplier reviews | Access reviews across the stack and supplier / third-party reviews run on a schedule, not only when a customer asks. |
| Quarterly | Board-level reporting | A short, honest position on where the frameworks stand, what changed and what needs a decision - reported to the board. |
| Ongoing | Incident-reporting readiness | The classification test and reporting workflow kept ready, so a real incident is handled to plan rather than improvised. |
| Annual | Internal audit & management review | The mandatory activities genuinely happen, with findings that lead to corrective actions - not a box ticked the week before an audit. |
| As needed | Resilience-testing cadence | A testing programme kept moving where DORA or your own risk appetite calls for it, with findings tracked to closure. |
Not ready for a full review?
Start with a 2-day Mini Gap Review.
Scoped and priced on a short call. We hand back your top Stage 1 blockers and the single next step that matters most.
What the retainer gives you
One accountable lead for the compliance frameworks you have to answer for - the person an auditor, a regulator or an enterprise buyer can actually talk to.
The register kept current and mapped to real controls, so it drives decisions instead of gathering dust between audits.
Access reviews, supplier and third-party reviews and evidence checks happening on schedule, with a record a reviewer can follow.
Internal audit, management review and surveillance-audit prep kept on track, so certification bodies find a system that operates.
A short, honest report on where every framework stands - the position leadership needs and the accountability regulators increasingly expect.
Without a fractional lead
That last sentence is where surveillance audits go wrong.
With a fractional lead
Frameworks it spans
The retainer covers only the frameworks that genuinely reach your business. We scope that on the first call.
| Framework | What the lead runs | Note |
|---|---|---|
| ISO 27001 | ISMS upkeep and surveillance-audit prep | Certifiable, on a three-year cycle with surveillance audits between certifications. |
| DORA | ICT-risk, incident-reporting and resilience obligations where they apply | Regulation (EU) 2022/2554; applied to EU financial entities from 17 January 2025. |
| NIS2 | Obligations where the directive reaches you | An EU directive, transposed into national law. |
| GDPR / ISO 27701 | Records of processing, DSAR and data-transfer discipline | ISO 27701:2025 is a stand-alone privacy management system standard. |
| ISO 42001 | AI governance as AI reaches the product | A certifiable AI management system standard. |
Certification is decided by accredited certification bodies; DORA and NIS2 are supervised by regulators. Kellwick runs the operating discipline behind these obligations; it does not certify or supervise.
How it runs
A short scoping call establishes which frameworks genuinely reach your business - ISO 27001, DORA, NIS2, privacy, AI governance - and where the operating gaps are today.
We agree the rhythm: risk-register updates, access and supplier reviews, incident-reporting readiness, internal audit and management review, and board reporting - with owners and dates.
The retainer keeps the frameworks operating month to month. Control ownership stays inside your business; the lead keeps the system honest, current and audit-ready.
What usually drifts without an owner
Book this if
Led by a CQI/IRCA-trained ISO 27001 Lead Auditor
CQI/IRCA ISO/IEC 27001:2022 Lead Auditor trained. IRCA Associate Auditor - ISMS. CQI Practitioner Member - PCQI. 18 years in IT, SaaS, fintech, product and operations.
Kellwick is an independent advisory practice, not a certification body.
Retainer options
No fixed packages and no list price. The cadence and coverage are scoped on a call, then confirmed in a retainer that fits.
Scoped on a call
A scaleup or SaaS with one or two frameworks to run and no in-house GRC owner.
Scoped on a call
Fintech and regulated technology companies answering for several frameworks at once - ISO 27001, DORA or NIS2, privacy and AI governance.
Scoped on a call
Certified companies that want a light, steady rhythm so the management system does not drift between surveillance visits.
This is for you if
This is not for you if
Why Kellwick
A fractional lead only works if the person running it understands how the frameworks operate in practice - not just the clauses. The work is led by a CQI/IRCA-trained ISO/IEC 27001 Lead Auditor with deep experience across SaaS, fintech, product operations and risk-heavy environments.
That matters because the operating discipline touches how teams build, access, change, monitor, approve, review and respond. The retainer keeps that system honest and current, and reports it to the board - it does not replace your internal control owners.
FAQ
No. A fractional lead gives your company senior security and AI-governance leadership on a retainer, without the cost of a full-time hire. It suits a business with real compliance obligations that cannot yet justify a full-time CISO.
No. It is the engine that runs the frameworks, not a standard. ISO 27001 and ISO 42001 are certifiable; DORA and NIS2 are EU regulation and directive. The retainer keeps whichever of those genuinely reach your business operating between audits and reviews.
No. Control ownership stays inside your company. The lead keeps the operating rhythm honest and current - risk register, reviews, audit prep, board reporting - and works with the people who run the controls day to day.
Only the ones your business actually has to answer for. That commonly means ISO 27001 ISMS upkeep, DORA and NIS2 obligations where they apply, privacy under GDPR and ISO 27701, and AI governance under ISO 42001. We scope it to your obligations, not a generic checklist.
ISO 27001 runs on a three-year cycle with surveillance audits between certifications. The moment attention moves on, the risk register goes stale and reviews slip. A light retainer keeps the system operating so surveillance is a check, not a scramble.
On a call. The cadence and coverage depend on which frameworks reach you, your certification status and how much internal ownership already exists. We confirm scope first, then agree a retainer that fits.
From the blog
Everyone agrees with least privilege in principle. The hard part is running it in a fast-moving SaaS company without grinding engineering to a halt.
Read →Evidence & Audit PrepMost evidence libraries decay within months of certification. The fix is designing one that produces evidence as a byproduct of normal work.
Read →SaaS Security GovernanceThe real question is not which framework is better. It is which one your buyers are demanding, and what unlocks the deals in front of you.
Read →Put an owner on the engine that runs it.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.